This phase is the first of several where the red team actively interacts with the target’s environment. Some of these phases tend to blend together, as the line between gaining initial access and establishing a foothold on the target network can be a fine one. In the gaining access phase, the red team takes steps to bypass the organization’s defenses and finds a way to establish some access to internal systems. In the next phase, the team works on improving this level of access to meet the objectives of the red team operation.

Scoping the Stage

The goal of this phase of the assessment is to gain access to the target environment and an initial foothold on the target network. This can be accomplished in a variety of ways, and, in the previous phase, the red team prepares a few rough plans on how to do so. In this phase, the red team selects a plan of action and executes it. If successful, the phase is completed. Otherwise, they continue the cycle of collecting information about the target system, selecting a plan of attack, and executing the plan until successful or the assessment has been rendered impossible to complete due to the detection of the attack by security personnel.

Achieving Phase Goals

The end goal of this phase is to create a foothold on the target network. To accomplish this, the red team needs to select a plan of attack and execute it, defeating digital and/or physical defenses on their way.

Identifying a Route

If the red team has done their job properly in previous phases, they have one or more plans for breaching the target network. If they have multiple plans or flexible plans, some options may be better and less likely to be detected than others. Ideally, one plan will have a high probability of success and a low probability of detection, giving the team a solid place to start from.

Depending on the specifics of the attack plan, there may be conditions that would make the plan more or less likely to succeed. At this point in the assessment, the team should identify these conditions and determine when and how best to launch the plan. For example, a network-based attack may be more likely to succeed outside of business hours when the security team is more likely to be understaffed and the potential of sneaking past increases. Attacking physical defenses may be easier at night when lockpicking is less detectable (since it’s dark) or during shift change or smoke breaks when the increased flow of people through the organization’s defenses gives the red team member a crowd to hide in. Identifying these potential advantages and adapting the attack plan to make use of them can be crucial to the success of a red team assessment.

Defeating Defenses

The goal of the target’s security team is keeping attackers like the red team out. The main goal of this phase of the assessment is bypassing or defeating the defenses put in place to protect the target network from unauthorized access. In the course of an assessment, the red team may need to defeat both digital and physical defenses.

Digital Defenses

The goal of digital defenses is to allow all of the right people and traffic in and keep all of the wrong people and traffic out. In trying to defeat these defenses, a red team has two main options: find a hole in the defenses or bypass them by becoming one of the “right people.”

Exploiting Vulnerabilities

Security programs and defenses on the target network are software, and software has bugs. Identifying and developing exploits for these vulnerabilities is what most people picture when they think of hacking. Security software vulnerabilities can be roughly broken into design and configuration flaws and implementation errors.

Design and configuration flaws are cases that the developer or administrator of the software did not anticipate when it was built or set up to protect the network. Hardcoded default passwords are a design flaw that pentesters can exploit; allowing anonymous FTP connections is an example of a configuration error. Pentesters can identify and exploit these mistakes to gain access to systems.

Implementation errors are programming flaws in security software or any exposed services. These flaws are publicly announced once patches are available, but not all organizations apply patches promptly. The service detection and banner grabbing phase of target identification is invaluable for this since it allows identification of potentially vulnerable software without being as detectable as a full vulnerability scan. By cross-checking versions against a list of CVEs, the red team may find an unpatched vulnerability that would allow access to the system.
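The cross-check described above is the same one a defender runs over their own asset inventory to find services that have fallen behind the patch baseline before an adversary does. The following is an added example, not code from the original article: it parses a few constructed service banners, extracts the product and version, and compares them against a hypothetical minimum-patched-version table. The baseline values are placeholders, not a real CVE mapping; a real deployment would populate that table from the CVE list or a vulnerability feed.

```python
import re

# Constructed sample banners, in the shape a service scan records them.
# Hosts, ports and versions are made up for this example.
SAMPLE_BANNERS = [
    ("10.0.0.5", 22, "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8"),
    ("10.0.0.7", 80, "Server: Apache/2.4.29 (Ubuntu)"),
    ("10.0.0.9", 21, "220 (vsFTPd 3.0.3)"),
    ("10.0.0.11", 22, "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1"),
    ("10.0.0.13", 443, "Server: nginx"),  # version not disclosed
]

# Hypothetical patch baseline: the lowest version the organization treats as
# patched for each product. Placeholder numbers, not real CVE data; load this
# from the CVE list or a vulnerability feed in a real implementation.
PATCH_BASELINE = {
    "OpenSSH": (8, 0),
    "Apache": (2, 4, 50),
    "vsFTPd": (3, 0, 4),
}

# Product-specific patterns that pull the dotted version out of a banner.
# The OpenSSH pattern deliberately stops before the "p2" portability suffix.
BANNER_PATTERNS = {
    "OpenSSH": re.compile(r"OpenSSH_(\d+(?:\.\d+)*)"),
    "Apache": re.compile(r"Apache/(\d+(?:\.\d+)*)"),
    "vsFTPd": re.compile(r"vsFTPd (\d+(?:\.\d+)*)"),
}


def parse_version(text):
    """Turn '2.4.29' into (2, 4, 29) so versions compare as tuples."""
    return tuple(int(part) for part in text.split("."))


def classify_banner(banner):
    """Return (product, version_tuple), or (None, None) if no product is recognised."""
    for product, pattern in BANNER_PATTERNS.items():
        match = pattern.search(banner)
        if match:
            return product, parse_version(match.group(1))
    return None, None


def find_unpatched(banners, baseline=PATCH_BASELINE):
    """List every service whose disclosed version is below the patch baseline."""
    findings = []
    for host, port, banner in banners:
        product, version = classify_banner(banner)
        if product is None:
            continue  # unknown product or no version in banner: nothing to compare
        minimum = baseline.get(product)
        if minimum is not None and version < minimum:
            findings.append({
                "host": host,
                "port": port,
                "product": product,
                "version": ".".join(map(str, version)),
                "baseline": ".".join(map(str, minimum)),
            })
    return findings


if __name__ == "__main__":
    for finding in find_unpatched(SAMPLE_BANNERS):
        print("{host}:{port} {product} {version} is below baseline {baseline}".format(**finding))
```

Services that do not disclose a version (the nginx entry) are skipped rather than flagged, which is exactly the gap a banner-only check leaves; they need an authenticated inventory check instead.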

Bypassing Digital Defenses

The other main option for defeating digital defenses is bypassing them by becoming one of the “right people” in the eyes of the security software. Since most organizations use passwords as their means of authentication to systems, this typically means stealing a user’s password. This is a commonly used tactic for hackers, with stolen credentials being used in 40% of incidents. Password theft can be accomplished in a variety of ways.

If the red team has the ability to sniff network traffic (usually by connecting to company Wi-Fi), then password cracking is a good option. Many protocols send hashed passwords over the network and some even send unhashed ones. If a red team can gain access to password hashes, then cracking them with a tool like John the Ripper is a good option.

Gaining access is another use case where social engineering shines. Phishing emails that pretend to be from a trusted brand are a great way to get credentials. A recent poll has found that 75% of the respondents reuse passwords across personal and business accounts, meaning that phished credentials are likely to help in an attack. Phone-based phishing attacks, such as those pretending to be from the IT help desk, are another great way to get passwords. Social engineering can also be carried out physically (e.g., dropping infected USB drives in the company parking lot). If social engineering is within the scope of the assessment and can make the initial stage of gaining access easier, it should be used.

Physical Defenses

Many aspiring red team testers focus too much on the digital side of hacking and not enough on the physical. The main advantages of digital hacking are that it can be performed from anywhere and it’s more anonymous. However, physical attacks can achieve the same goals with much less effort by the red team if performed correctly.

Physical defenses can be either defeated or bypassed as well. Examples of defeating physical defenses include climbing over fences, picking locks or climbing through vents like your favorite action hero.

Bypassing physical defenses typically involves social engineering. Say you want to get through a locked door into the building. You could try to pick the lock, but odds are that you’ll be quickly caught and arrested. However, if you walk up to the door carrying a heavy box right after someone else, odds are they’ll hold it for you without a second thought.

By using a pretext that doesn’t set off someone’s mental defenses, a red team member can achieve their objective and slip through defenses much more easily. And physical access to the target often presents opportunities for a much more comprehensive and less detectable compromise of the target network.

Setting the Stage

The goal of this stage is gaining initial access to the target organization. A successful phase results in the red team having some level of access to a machine inside the target organization. Depending on the method of attack, the level of access may vary, but any level that provides the potential to expand deeper into the target network is a success.

In the next phase, the red team works to leverage this initial foothold into a more comprehensive beachhead that can be used to achieve the operational objectives of the assessment.

Sources

  1. Social Engineering Attacks and Mitigations Part IV: Tailgating, Binary Defense
  2. Search CVE List, CVE
  3. Less Than Half of Cyberattacks Detected via Antivirus: SANS, Dark Reading
  4. John the Ripper password cracker, Openwall
  5. Employees’ Poor Security Habits Getting Worse, Survey Finds, Infosecurity